Google's 2FA feature raises security concerns.
TL;DR Summary
Google Authenticator's new feature for backing up 2FA data to the cloud and restoring it onto other devices has been found to upload that data unencrypted, making the seeds available to Google and to anyone with a search warrant for the data. Researchers advise against using the new syncing feature until Google adds a passphrase option that encrypts the upload before it leaves the device. Google has responded by admitting that it intentionally released the feature without end-to-end encryption, and says it plans to offer it down the line.
- Google leaking 2FA secrets – researchers advise against new “account sync” feature for now (Naked Security)
- Google's New 2FA Isn't End-to-End Encrypted, Tests Show (Gizmodo)
- How to Finally Use Google Authenticator Without Your Phone (Lifehacker)
- Google on why Authenticator sync isn't E2E encrypted, but option coming later (9to5Google)
- Why you shouldn't turn on Google Authenticator's cloud sync feature (Ghacks)